CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 30 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42832 | Hig | 0.50 | 7.7 | 0.00 | May 12, 2026 | Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally. | ||
| CVE-2026-42205 | Hig | 0.50 | 8.8 | 0.00 | May 8, 2026 | Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class… | ||
| CVE-2026-42278 | Hig | 0.50 | — | 0.00 | May 8, 2026 | UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address… | ||
| CVE-2026-41900 | — | Hig | 0.50 | 8.8 | 0.01 | May 8, 2026 | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has… | |
| CVE-2026-20167 | Hig | 0.50 | 7.7 | 0.00 | May 6, 2026 | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker… | ||
| CVE-2026-33318 | Hig | 0.50 | 8.8 | 0.00 | Apr 24, 2026 | Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no… | ||
| CVE-2026-31018 | Hig | 0.50 | 8.8 | 0.00 | Apr 21, 2026 | In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs… | ||
| CVE-2026-39386 | — | Hig | 0.50 | 8.8 | 0.00 | Apr 21, 2026 | Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings,… | |
| CVE-2026-23899 | Hig | 0.50 | 8.8 | 0.00 | Apr 1, 2026 | An improper access check allows unauthorized access to webservice endpoints. | ||
| CVE-2026-33622 | Hig | 0.50 | 8.8 | 0.01 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if… | ||
| CVE-2025-5962 | Hig | 0.50 | 7.7 | 0.00 | Sep 22, 2025 | A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can… | ||
| CVE-2025-7346 | Hig | 0.50 | — | 0.00 | Jul 8, 2025 | Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages | ||
| CVE-2025-1259 | Hig | 0.50 | 7.7 | 0.00 | Mar 4, 2025 | On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available | ||
| CVE-2022-26389 | Hig | 0.50 | 7.7 | 0.00 | Feb 7, 2025 | An improper access control vulnerability may allow privilege escalation.This issue affects: * ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; * ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; * ELI 250c/BUR 250c… | ||
| CVE-2025-23083 | Hig | 0.50 | 7.7 | 0.00 | Jan 22, 2025 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated… | ||
| CVE-2024-55954 | Hig | 0.50 | 8.7 | 0.00 | Jan 16, 2025 | OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root… | ||
| CVE-2024-25133 | Hig | 0.50 | 8.8 | 0.00 | Dec 31, 2024 | A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. | ||
| CVE-2022-4809 | — | Hig | 0.50 | 8.8 | 0.01 | Dec 28, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. | |
| CVE-2022-4803 | — | Hig | 0.50 | 8.8 | 0.01 | Dec 28, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | |
| CVE-2022-4689 | — | Hig | 0.50 | 8.8 | 0.01 | Dec 23, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
- risk 0.50cvss 7.7epss 0.00
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
- risk 0.50cvss 8.8epss 0.00
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class…
- risk 0.50cvss —epss 0.00
UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address…
- risk 0.50cvss 8.8epss 0.01
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has…
- risk 0.50cvss 7.7epss 0.00
A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker…
- risk 0.50cvss 8.8epss 0.00
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no…
- risk 0.50cvss 8.8epss 0.00
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs…
- risk 0.50cvss 8.8epss 0.00
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings,…
- risk 0.50cvss 8.8epss 0.00
An improper access check allows unauthorized access to webservice endpoints.
- risk 0.50cvss 8.8epss 0.01
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if…
- risk 0.50cvss 7.7epss 0.00
A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can…
- risk 0.50cvss —epss 0.00
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages
- risk 0.50cvss 7.7epss 0.00
On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available
- risk 0.50cvss 7.7epss 0.00
An improper access control vulnerability may allow privilege escalation.This issue affects: * ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; * ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; * ELI 250c/BUR 250c…
- risk 0.50cvss 7.7epss 0.00
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated…
- risk 0.50cvss 8.7epss 0.00
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root…
- risk 0.50cvss 8.8epss 0.00
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.
- risk 0.50cvss 8.8epss 0.01
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
- risk 0.50cvss 8.8epss 0.01
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
- risk 0.50cvss 8.8epss 0.01
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.